Each server (or host) needs to be issued with a key and certificate. When a client connects, the server sends its certificate, which the client validates against the CA certificate. The core piece of information in a server certificate is the hostname. This should be the fully qualified hostname that the client will connect with, since the client will typically also verify that the hostname in the certificate matches the one it connected to. On the host holding the secure CA private key:
# cat > server.info <<EOF
organization = Name of your organization
cn = server.foo.example.com
tls_www_server
encryption_key
signing_key
EOF
# certtool --generate-privkey > server-key.pem
# certtool --generate-certificate \
           --load-ca-certificate ca-cert.pem \
           --load-ca-privkey ca-key.pem \
           --load-privkey server-key.pem \
           --template server.info \
           --outfile server-cert.pem
The server-key.pem and server-cert.pem files should now be securely copied to the server for which they were generated. The server-key.pem is security sensitive and should be kept protected with file mode 0600 to prevent disclosure.
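As an added example (not part of the QEMU documentation), the script below wraps the certtool steps above and then checks the three things that matter before copying the files out: the certificate verifies against ca-cert.pem, its CN is the FQDN the client will connect with, and server-key.pem is mode 0600. It assumes GnuTLS certtool is installed and that ca-cert.pem and ca-key.pem from the previous step live in the directory passed as CADIR; the function names are my own.

```shell
#!/bin/sh
# Added example: generate a VNC server key/certificate with certtool and verify
# the result. Assumes certtool (GnuTLS) is on PATH and CADIR holds ca-cert.pem
# and ca-key.pem. Function names are this example's own, not QEMU's.
set -eu

# check_key_mode FILE: succeed only if FILE is mode 0600 (owner read/write only).
check_key_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    [ "$mode" = "600" ]
}

# make_template FQDN ORG: print the certtool template for a TLS server whose
# CN is the fully qualified hostname clients will connect with.
make_template() {
    printf 'organization = %s\ncn = %s\ntls_www_server\nencryption_key\nsigning_key\n' "$2" "$1"
}

# generate_server_cert FQDN ORG CADIR OUTDIR: run the documented certtool steps,
# then verify chain, hostname and key permissions. Non-zero exit on any failure.
generate_server_cert() {
    fqdn=$1; org=$2; cadir=$3; out=$4
    umask 077                            # the private key is never world-readable
    make_template "$fqdn" "$org" > "$out/server.info"
    certtool --generate-privkey > "$out/server-key.pem"
    certtool --generate-certificate \
        --load-ca-certificate "$cadir/ca-cert.pem" \
        --load-ca-privkey "$cadir/ca-key.pem" \
        --load-privkey "$out/server-key.pem" \
        --template "$out/server.info" \
        --outfile "$out/server-cert.pem"
    chmod 0644 "$out/server-cert.pem"    # the certificate itself is public
    # 1. the certificate must chain to the CA the clients trust
    certtool --verify --load-ca-certificate "$cadir/ca-cert.pem" \
        --infile "$out/server-cert.pem" > /dev/null
    # 2. the CN must be the FQDN clients connect with
    certtool --certificate-info --infile "$out/server-cert.pem" | grep -q "CN=$fqdn"
    # 3. the key must be 0600 before it is copied to the server
    check_key_mode "$out/server-key.pem"
}

# Usage: sh gen-server-cert.sh server.foo.example.com "Name of your organization" /path/to/ca ./out
if [ $# -eq 4 ]; then
    generate_server_cert "$@"
fi
```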